Bank-card-sniffing shop menace Punkey pinned down in US Secret Service investigation
Never Mind Other Malware, Here's the Hex Pistols
Security researchers have identified a new strain of point-of-sale (POS) malware during an investigation led by the US Secret Service.
Stolen payment card information and the IP addresses of more than 75 infected sales tills were found by security researchers at Trustwave during the probe. It's unclear how many victims the so-called Punkey POS malware has claimed.
Trustwave researchers found the sensitive data while analysing multiple command-and-control servers used to hijack Windows PCs infected by Punkey. Their study of the operation's source code suggests that multiple cybercrooks have had a hand in developing the malware.
Punkey — which is similar to the previously discovered NewPOSthings family of malware captured by security researchers at Trend Micro and Arbor Networks — hides inside the explorer.exe process on Windows POS systems.
Once activated, the malicious code scans the memory of other running programs for card holder data before uploading any information to a command and control server. Infected drones periodically poll C&C nodes for software updates.
Researchers estimate Punkey gets installed by either exploiting easy-to-crack passwords used for remote access software on the POS systems, or through cashiers using the POS system to browse malicious websites or open phishing emails.
The Punkey malware bundles keylogging functionality which, like other snaffled data, is automatically uploaded to command servers. This data (uploaded 200 keystrokes at a time) allows cybercrooks to capture usernames and passwords and other important information.
Three versions of Punkey have been identified.
In one case, the VXer used AES encryption with an embedded key without changing a single digit of the key or the IV. This crypto oversight allowed security researchers at Trustwave to put together a decryption tool before decrypting attack traffic.
An FAQ on Punkey with more information can be found on Trustwave's blog, here. ®